Wolverine Access vulnerability discovered

By Laurel Thomas Gnagey

Technology experts say it is unlikely student records were compromised by a recent security problem found in Wolverine Access, but as a precaution they have sent a notice to students explaining the series of events that led to the discovery of vulnerability in the system and encouraging them to keep track of billing statements and credit reports for any signs of inappropriate activity.

More than a week ago, a student using a nonstandard browser discovered, upon opening a series of windows, that he could access student home addresses and Social Security numbers. The student immediately reported the problem to the IT User Advocate. The problem was fixed within hours.

Upon investigation, it was discovered that Wolverine Access most likely was vulnerable since Feb. 9, the go-live date for the latest version of the software, says Laura Patterson, associate vice president for administrative systems. She stresses that it is unlikely student records were exposed to others, and that Michigan Administrative Information Services (MAIS) representatives are certain that none were altered.

"Only authorized University users of Wolverine Access can get into the system through authentication involving a user ID and password," Patterson says. "And the vulnerability existed only with browsers not supported for use with the system, not for the primary browser used by the vast majority of students."

Patterson says the series of actions the student used to find the flaw were not typical of those used by students who are registering or performing other functions with the software, further making it unlikely anyone else discovered the vulnerability.

Before the new version was rolled out, some 40,000 hours went into testing the system, including security, she says.

"Vulnerabilities such as this one are part of the cost of living in a digital era," Patterson says. "The only way to secure personal data with 100 percent certainty is not to offer services such as registration online. Yet students tell us this service is very important to them.

"As long as we continue to implement new technologies, there is the risk that unexpected vulnerabilities will be discovered. But we are committed to doing everything in our power to protect student privacy."